Security Basics mailing list archives

RE: Traces


From: "Shawn Jackson" <sjackson () horizonusa com>
Date: Wed, 31 Dec 2003 12:18:42 -0800


Eh' kinda. The TTL is decremented when the packet travels over a
router. If they don't set the TTL to a random number, you know "hey, he's
eight hops away", but that's it. In a confined corporate network that
might work better, but on a network as dynamic as the internet, not all
paths have the same TTL, so it's almost worthless, IMHO.

Shawn Jackson
Systems Administrator
Horizon USA
1190 Trademark Dr #107
Reno NV 89521
www.horizonusa.com
 
Email: sjackson () horizonusa com
Phone: (775) 858-2338
       (800) 325-1199 x338

-----Original Message-----
From: Fernando Gont [mailto:fernando () gont com ar] 
Sent: Wednesday, December 31, 2003 12:17 PM
To: Shawn Jackson; Gerson Sampaio; security-basics () securityfocus com
Subject: RE: Traces

At 14:46 16/12/2003 -0800, Shawn Jackson wrote:

Sorry, I can't think of any off hand. But I'll try and give you
a little information, if it helps at all. Depending on the type of
attack, how you will trace varies. For example, if you're suffering from
a DDoS attack, the chances that the originating IP address is that of
the initiator of the attack are slim to none. Additionally, if it's a
no-response attack (Syn Flood, teardrop), the return path address in the
IP header is most likely forged, seeing they don't require return
traffic.

For Syn-Flood and Teardrop, you can probably have an idea of how many
hops away the attacker is, by guessing the initial TTL and looking at the
TTL of the incoming SYN.
Of course, this will be useless if the initial TTL was set to a random
number.

For some types of DDoS, such as the "reflection" attacks, if the
reflecting hosts cooperate, you could use the same technique to have an
idea of where the attacker is.

In that case, you could do "triangulation" based on the TTL field of the
packets that get to the reflectors, and thus find (or have an idea of)
where the attacker is.

Of course, if the attacker sets the TTL field to some "unusual" value,
this "technique" will be useless.


--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
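The hop-count guess and the reflector "triangulation" discussed in this thread, as an added example (not code from either poster). It assumes the common OS default initial TTLs of 64, 128 and 255 and that a real Internet path stays under about 30 hops; it also goes one step further than the posts by clustering the TTLs of a whole SYN burst, since spoofed SYNs from one origin share one path. All TTL values below are constructed, not captured traffic.

```python
from collections import Counter

# Common OS initial-TTL defaults and a sanity bound on Internet path length
# (both assumptions; real values vary by OS and by network).
INITIAL_TTLS = (64, 128, 255)
MAX_PLAUSIBLE_HOPS = 30


def hop_estimate(observed_ttl):
    """Guess (initial_ttl, hops) from one observed TTL, or None when no
    common default gives a plausible path (TTL probably randomised)."""
    for initial in INITIAL_TTLS:
        if observed_ttl <= initial:
            hops = initial - observed_ttl
            return (initial, hops) if hops <= MAX_PLAUSIBLE_HOPS else None
    return None


def syn_flood_distance(syn_ttls):
    """Dominant hop distance across a burst of SYNs with forged sources.
    Spoofed SYNs from one origin share one real path, so their TTLs cluster
    even though source addresses vary. Returns (hops, share) or None."""
    estimates = [e for e in map(hop_estimate, syn_ttls) if e is not None]
    if not estimates:
        return None
    (_, hops), count = Counter(estimates).most_common(1)[0]
    share = count / len(syn_ttls)
    return (hops, share) if share >= 0.5 else None


def triangulate(reflector_ttls):
    """Hop distance from the attacker to each cooperating reflector, given
    {reflector: TTL seen on the attacker's packets}. All packets come from
    one host, so the inferred initial TTL must agree; otherwise None."""
    estimates = {name: hop_estimate(t) for name, t in reflector_ttls.items()}
    if None in estimates.values():
        return None
    if len({initial for initial, _ in estimates.values()}) != 1:
        return None
    return {name: hops for name, (_, hops) in estimates.items()}


if __name__ == "__main__":
    # Constructed sample values, not captured traffic.
    burst = [115] * 40 + [114] * 6 + [37, 203, 9, 250]
    print(syn_flood_distance(burst))                    # (13, 0.8)
    print(triangulate({"r1": 52, "r2": 49, "r3": 58}))  # {'r1': 12, 'r2': 15, 'r3': 6}
    print(triangulate({"r1": 52, "r2": 120}))           # None
```

A burst whose TTLs spread across many values, or reflectors whose inferred initial TTLs disagree, is the "unusual value" case Fernando describes and yields None rather than a distance.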


